(Don't) Return to Sender: How to Protect Yourself From Email Tracking

Tracking is everywhere on the Internet. Over the past year, a drumbeat of tech-industry scandals has acclimated users to the sheer number of ways that personal information can be collected and leaked. As a result, it might not come as a surprise to learn that emails, too, can be vectors for tracking. Email senders can monitor who opens which emails, when, and what device they use to do it. If you work for a business or a non-profit that sends mass emails, maybe you’ve used tools to perform this kind of tracking before. Even if you have used them, this might be the first you’ve heard of it — because unfortunately, in email marketing software, tracking is often enabled by default.

There are a lot of different ways to track email, and different techniques can lie anywhere on the spectrum from marginally acceptable to atrocious. Responsible tracking should aggregate a minimal amount of anonymous data, similar to page hits: enough to let the sender get a sense of how well their campaign is doing without invading users’ privacy. Email tracking should always be disclosed up-front, and users should have a clear and easy way to opt out if they choose to. Lastly, organizations that track should minimize and delete user data as soon as possible according to an easy-to-understand data retention and privacy policy.

Unfortunately, that’s often not how it happens. Many senders, including the U.S. government, do email tracking clumsily. Bad email tracking is ubiquitous, secretive, pervasive, and leaky. It can expose sensitive information to third parties and sometimes even to others on your network. According to a comprehensive study from 2017, 70% of mailing list emails contain tracking resources. To make matters worse, around 30% of mailing list emails also leak your email address to third-party trackers when you open them. And although it wasn’t mentioned in the paper, a quick survey we did of the same email dataset they used reveals that around 80% of these links were over insecure, unencrypted HTTP.

In addition, several of these third-party email tracking technologies will try to share and correlate your email address across different emails that you open, and even across different websites that you visit, further shaping your invisible online profile. And since people often access their email from different devices, email address leaks allow trackers (and often network observers) to correlate your identity across devices.

It doesn’t have to be that way. For users, there are usually ways to “opt out” of tracking within your email client of choice. For mail client developers, including a few simple features can help protect your users’ privacy by default. And if you’re at an organization that does perform tracking, you can take a proactive approach to respecting user privacy and consent. Here are some friendly suggestions to help make tracking less pervasive, less creepy, and less leaky.

How can users protect themselves?

There are many popular email clients which behave differently and have different settings, so protections may vary. Here are some general guidelines for improving your email privacy and security hygiene.

Limit your email client’s image/resource loading.

A common tracking practice includes embedded links to “pixels” or other pieces of content that are hosted on a remote server. When your client tries to load the content, it sends out a request that allows you to be tracked. Blocking third-party resources limits the ability of email senders to track when you read or open emails. Some clients, including Thunderbird and Outlook, have remote content loading disabled by default, and both Gmail and Apple Mail allow you to disable it by choice. If you need to view images in a particular email, you can selectively turn on loading for that particular email, but be aware that this allows email-open trackers to work.

For even more security, you can turn off HTML email completely. This will remove formatting from your emails, but it will completely stop any form of remote content tracking.

If you’re not sure how well your email client protects you, the Email Privacy Tester is a useful tool to check whether you’re vulnerable to a variety of different tracking techniques. For example, even though Gmail uses a proxy to serve images in emails, the privacy tester reveals that using Gmail won’t actually protect you from pixel tracking (though it will mask your IP address). Try using it to test each of your email clients, especially the one you use on your mobile phone.
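To make the three problems above concrete (remote tracking resources, email addresses leaked in tracking URLs, and links served over plain HTTP), here is an added audit script that is not part of the original article. It parses a constructed sample email body, lists every remote resource a client would fetch, and flags each as HTTP, third-party, pixel-sized, or carrying the recipient's address in clear text or as a common hash digest. The sender domain, recipient address and all hostnames are assumptions made up for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlparse
# Constructed sample body (not from the article): a first-party HTTPS logo, an HTTP 1x1
# open-tracking pixel carrying the recipient's address, and an HTTP pixel carrying its MD5.
DIGEST_OF_ALICE = hashlib.md5(b"alice@example.com").hexdigest()
SAMPLE_HTML = f"""<html><body>
<img src="https://news.example.org/logo.png" width="200" alt="logo">
<img src="http://track.example-tracker.net/open?c=42&e=alice%40example.com" width="1" height="1">
<img src="http://cdn.example-tracker.net/p.gif?u={DIGEST_OF_ALICE}">
</body></html>"""

class RemoteResourceFinder(HTMLParser):
    """Collect URLs of elements that make a mail client fetch remote content."""
    def __init__(self):
        super().__init__()
        self.resources = []  # (url, width, height)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "link" else a.get("src")
        if tag in ("img", "script", "iframe", "video", "audio", "source", "link") and url:
            self.resources.append((url, a.get("width"), a.get("height")))

def _tiny(dim):  # a 0 or 1 pixel dimension is the classic invisible tracking pixel
    return dim is not None and dim.strip().rstrip("px") in ("0", "1")

def address_tokens(email):
    """Forms in which trackers embed an address: clear text and common hex digests."""
    raw = email.lower().encode()
    return {email.lower()} | {hashlib.new(alg, raw).hexdigest() for alg in ("md5", "sha1", "sha256")}

def audit_email(html, sender_domain, recipient):
    """Flag each remote resource: insecure (HTTP), third-party, pixel-sized, address leak."""
    tokens = address_tokens(recipient)
    finder = RemoteResourceFinder()
    finder.feed(html)
    findings = []
    for url, width, height in finder.resources:
        u = urlparse(url)
        host = (u.hostname or "").lower()
        values = [v.lower() for _, v in parse_qsl(u.query)] + [unquote(u.path).lower()]
        findings.append({
            "host": host,
            "insecure": u.scheme == "http",
            "third_party": host != sender_domain and not host.endswith("." + sender_domain),
            "pixel": _tiny(width) or _tiny(height),
            "leaks_address": any(tok in v for v in values for tok in tokens),
        })
    return findings
```

Run it against a saved message body and your own address to see what your client would reveal if remote content loading were on.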

Be careful when clicking links.

Don’t click links in email unless you absolutely have to, and try to view the link URL beforehand. This is good practice in general to avoid security risks like phishing as well as privacy-invasive tracking.

If you use a webmail client, standard web hygiene techniques work well for email also. To prevent email trackers from getting even more information about you, turn off third-party cookies in your browser and install a tracker-blocker like Privacy Badger. In addition, to prevent your email browsing behavior from being visible to ISPs and snoops on your network, limit your exposure to HTTP. You can use an extension like HTTPS Everywhere to block HTTP resources from loading by default.

How can email clients do more to protect their users?

Email clients should represent the interests of their users as they interact with the Internet. That includes using sensible protections by default and including strong privacy-preserving options for especially concerned users.

If they have the resources, clients can proxy content that’s embedded in emails, like Gmail does. It’s not perfect, but it has some security and privacy benefits, like preventing HTTP requests from leaking onto the network, blocking cookies, and hiding IP address and User Agent information from the tracker. If you’re a client developer, there’s even more that you can do.

Tracking should be opt-in, not opt-out, so if you don’t already, turn off remote content loading for your users by default. At the very least, you can give your users the option to do this. Also, give users the ability to turn off HTML email. You can check for any further leaks on your client using the Email Privacy Tester.

Even if your users regularly employ end-to-end encryption, after decrypting the email, clients often render the email as they would a regular one, so you’ll still need to think about these tracking protections.

How can email senders respect their readers?

The need for feedback on email campaigns drives the ubiquity of pixel and link tracking, and many of these techniques have been used for decades. But it’s unfortunately rare to see these tracking technologies being implemented securely and responsibly. Here’s how to make sure the analytics tools on your email campaign respect and protect users’ privacy.

Rule #1: use TLS!

An astounding number of link-tracking domains are served over HTTP, and many large email senders don’t use STARTTLS. Make sure your links are over HTTPS, and that your mail server supports outgoing STARTTLS. There’s no reason network eavesdroppers should know what mailing lists folks are subscribed to when users open their emails or their email-link browsing history.

Don’t obfuscate your links.

The practice of obfuscating tracked links is especially dangerous, as it trains your readers to click unrecognizable links. This can lead users to click suspicious links from phishers. 91% of cyberattacks start with a phishing email, and normalizing suspicious-looking links in email makes life easier for phishers.

Lastly, and most importantly, think before you track.

Who are you exposing your readers’ private information to? Do you really need to embed their email addresses in your URLs? At what privacy cost do “insightful analytics” come? Nothing about counting the number of visitors coming to your site via email is inherently bad. But do you really need to store exactly who clicked which link from which email? Campaigns can get quite a bit of signal from aggregated counting alone, rather than individualized tracking of every user’s interaction, without invading their users’ privacy and trust. And think twice before hiring a third-party service to do your tracking for you. Read their privacy policy, and make sure you’re not selling out your users’ data for a few useful numbers.

Email sanitation, security, and privacy are a team effort. Stay vigilant, and keep good email hygiene!
